A hybrid behavior- and Bayesian network-based framework for cyber–physical anomaly detection

Abstract

In recent years, the increasing Internet connectivity and heterogeneity of industrial protocols have been raising the number and nature of cyber-attacks against Industrial Control Systems (ICS). Such cyber-attacks may lead to cyber anomalies and further to the failure of physical components, thus leading to cyber–physical attacks. In this paper, we present a novel unsupervised cyber–physical anomaly detection framework based on a hybrid “multi-formalism” approach that combines the outcomes of multiple unsupervised behavior-based anomaly detectors through a Bayesian network-based probabilistic modeling of the ICS. More precisely, the framework consists of two behavior-based anomaly detection modules that monitor separately and simultaneously the behavior of cyber and physical data acquired from the ICS. The outputs of such modules are filtered and combined through a Bayesian network-based modeling in order to improve the trustworthiness of the detected anomalies and to provide the detection probability of cyber, physical, and cyber–physical anomalies, taking into account possible cascading effects over the cyber–physical process. The outcomes achieved through the implementation of our framework on the hardware-in-the-loop Water Distribution Testbed (WDT) dataset show very high detection performance with a strong ability to reject false positive events and to isolate and localize the anomalies over the cyber–physical process.